Remote PowerShell Session (PS Module)

Detects remote PowerShell sessions

Sigma rule (View on GitHub)

 1title: Remote PowerShell Session (PS Module)
 2id: 96b9f619-aa91-478f-bacb-c3e50f8df575
 3status: test
 4description: Detects remote PowerShell sessions
 5references:
 6    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 7author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 8date: 2019-08-10
 9modified: 2023-01-20
10tags:
11    - attack.execution
12    - attack.t1059.001
13    - attack.lateral-movement
14    - attack.t1021.006
15logsource:
16    product: windows
17    category: ps_module
18    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
19detection:
20    selection:
21        ContextInfo|contains|all:
22            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
23            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
24    filter_pwsh_archive:
25        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
26    condition: selection and not 1 of filter_*
27falsepositives:
28    - Legitimate use remote PowerShell sessions
29level: high

References

Related rules

to-top